[dns-operations] Possibly-incorrect NSEC responses from many RSOs

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Feb 28 01:58:55 UTC 2021


On Sun, Feb 28, 2021 at 12:32:23PM +1100, Mark Andrews wrote:

> It says that RRSIGs exist at that name. 

But there is no *signed* RRSIG RRSet as such, and positive responses to
queries with type RRSIG are always insecure, and can always just be
outright lies, with no way to check.

Since the NSEC bitmap protects against NODATA forgery, it makes no sense
to include RRSIG here, because any RRSIG response can never be
validated.

So it makes no sense to include RRSIG in the NSEC bitmap.  This still
looks like a mistake.

-- 
    Viktor.
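To make the argument above concrete, here is an added example (not code from the thread or from any of the participants) that encodes and decodes NSEC RDATA in the RFC 4034 wire format: the uncompressed next-owner name followed by the window/bitmap blocks of the type bitmap. The `nodata_proven` function shows what a validator actually uses the bitmap for in a NODATA answer: the queried type's bit being clear at the matching owner name (signature checking of the NSEC itself is left out). The owner names, the next-owner name and the type set in the sample record are constructed for illustration; whether the RRSIG bit belongs in the bitmap is the question the thread is debating, and the code simply makes that bit visible.

```python
"""Encode/decode NSEC RDATA (RFC 4034 section 4.1) and evaluate a NODATA proof.

Added example, not code from the dns-operations thread. All sample data is constructed.
"""

TYPE_A, TYPE_AAAA, TYPE_RRSIG, TYPE_NSEC = 1, 28, 46, 47
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 16: "TXT", 28: "AAAA", 46: "RRSIG", 47: "NSEC", 48: "DNSKEY"}


def encode_name(name):
    """Wire-format, uncompressed name (NSEC RDATA never uses name compression)."""
    labels = [] if name in (".", "") else name.rstrip(".").split(".")
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return bytes(out + b"\x00")


def decode_name(data, pos):
    """Parse an uncompressed name starting at pos; return (name, position after it)."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        n = data[pos]
        if n & 0xC0:
            raise ValueError("compression pointer not allowed in NSEC RDATA")
        pos += 1
        if n == 0:
            break
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", pos


def encode_type_bitmap(types):
    """Build the window-block list (RFC 4034 4.1.2) from a set of RR type codes."""
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 65535:
            raise ValueError(f"type code out of range: {t}")
        win, low = divmod(t, 256)
        byte_index, bit = divmod(low, 8)
        bm = windows.setdefault(win, bytearray(32))
        bm[byte_index] |= 0x80 >> bit  # bit 0 of each octet is the most significant bit
    out = bytearray()
    for win in sorted(windows):
        trimmed = bytes(windows[win]).rstrip(b"\x00")  # trailing zero octets are omitted
        if trimmed:
            out += bytes([win, len(trimmed)]) + trimmed
    return bytes(out)


def decode_type_bitmap(data):
    """Parse window blocks into the set of RR type codes whose bits are set."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window block header")
        win, length = data[pos], data[pos + 1]
        if win <= last_win:
            raise ValueError("window blocks must be in ascending order")
        if not 1 <= length <= 32:
            raise ValueError(f"invalid bitmap length {length} in window {win}")
        bitmap = data[pos + 2:pos + 2 + length]
        if len(bitmap) != length:
            raise ValueError("truncated bitmap")
        if bitmap[-1] == 0:
            raise ValueError("trailing zero octet in bitmap")
        for i, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add(win * 256 + i * 8 + bit)
        last_win, pos = win, pos + 2 + length
    return types


def encode_nsec_rdata(next_name, types):
    return encode_name(next_name) + encode_type_bitmap(types)


def decode_nsec_rdata(rdata):
    next_name, pos = decode_name(rdata, 0)
    return next_name, decode_type_bitmap(rdata[pos:])


def nodata_proven(nsec_owner, qname, rdata, qtype):
    """An NSEC owned by qname proves NODATA for qtype iff qtype's bit is clear.

    The RRSIG over the NSEC must also validate; that step is outside this example.
    A non-matching owner would be part of a name-error proof, which is not handled here.
    """
    if nsec_owner.lower() != qname.lower():
        return False
    _, types = decode_nsec_rdata(rdata)
    return qtype not in types


def describe(rdata):
    """Presentation-style rendering: next owner followed by the listed type mnemonics."""
    next_name, types = decode_nsec_rdata(rdata)
    return f"{next_name} " + " ".join(TYPE_NAMES.get(t, f"TYPE{t}") for t in sorted(types))


# Constructed sample: an NSEC at a.example. covering up to b.example., listing A, RRSIG, NSEC.
SAMPLE_OWNER = "a.example."
SAMPLE_RDATA = encode_nsec_rdata("b.example.", {TYPE_A, TYPE_RRSIG, TYPE_NSEC})

if __name__ == "__main__":
    print(SAMPLE_OWNER, "NSEC", describe(SAMPLE_RDATA))
    print("AAAA NODATA proven:", nodata_proven(SAMPLE_OWNER, "a.example.", SAMPLE_RDATA, TYPE_AAAA))
    print("A NODATA proven:   ", nodata_proven(SAMPLE_OWNER, "a.example.", SAMPLE_RDATA, TYPE_A))
```

Running the script prints the sample record as `a.example. NSEC b.example. A RRSIG NSEC`, reports the AAAA NODATA proof as valid (bit clear) and the A one as invalid (bit set). The decoder deliberately rejects window blocks out of order, bitmap lengths outside 1..32 and trailing zero octets, which are the encoding constraints a strict validator checks before trusting a bitmap.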


